Club Shield deploys and monitors a single Cloudflare WAF rule on each protected zone.
To do this it needs a read/write token scoped to one permission on one zone only.
This guide walks through creating that token safely.
What Club Shield does NOT need
Club Shield does not need account admin access, DNS edit rights, billing access, user management,
or any access beyond a single WAF permission on a single zone. Any token broader than this
should not be used. If in doubt, use the instructions below exactly.
Part 1 — Find the Zone ID
The Zone ID is a 32-character code that identifies the Cloudflare zone for the club's domain.
It is not a secret — it appears in the Cloudflare dashboard and is safe to share.
1. Log in to the Cloudflare dashboard
Navigate to dash.cloudflare.com and log in to the account that manages the club's domain.
2. Select the club's zone
On the home screen, click the domain name for the club (e.g. arbutusclub.com).
3. Copy the Zone ID
On the zone overview page, scroll down the right sidebar. Under API you will see Zone ID — a 32-character hexadecimal string. Copy it.
It looks like: a1b2c3d4e5f6789012345678abcdef01
Zone ID for this engagement:
Part 2 — Create the Scoped API Token
1. Open API Token settings
Click your profile icon (top right) → My Profile → API Tokens tab → Create Token.
2. Choose "Create Custom Token"
Scroll past the templates and click Get started under Create Custom Token.
Do not use any of the preset templates.
3. Set the token name
Use a descriptive name that identifies the scope:
Token Name: Club Shield — arbutusclub.com — WAF
4. Set the permission — exactly one
Under Permissions, click Add more and set:
Permission: Zone → Firewall Services → Edit
This grants read and write access to WAF custom rules only.
No other Cloudflare settings are accessible with this permission.
5. Restrict to one zone
Under Zone Resources, change the dropdown from All zones to:
Include → Specific zone → arbutusclub.com
This is critical. The token must be zone-specific, not account-wide.
6. Set an expiry (recommended)
Under TTL, set an end date 90 days from today.
Club Shield will alert you before expiry so the token can be renewed or rotated.
An expiring token limits exposure if it is ever compromised.
7. Create and copy the token
Click Continue to summary → review the permissions → Create Token.
Copy the token value immediately — Cloudflare shows it only once.
Part 3 — Verify the Token Works
Run this command to confirm the token has the correct access before handing it over.
Replace the placeholders with the Zone ID and token you just created.
curl -s -o /dev/null -w "%{http_code}" \
https://api.cloudflare.com/client/v4/zones/ZONE_ID_HERE/rulesets/phases/http_request_firewall_custom/entrypoint \
-H "Authorization: Bearer TOKEN_HERE"
Expected results
200 — token works, WAF ruleset exists on this zone
404 — token works, no custom WAF rules deployed yet (this is the expected state before Club Shield deploys)
401 — token is invalid or expired, recreate it
403 — token lacks the Firewall Services permission or is scoped to the wrong zone
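The check above scripted, plus a second, negative check that the token cannot read the zone's DNS records (a token that can is broader than this guide allows). This is an added example, not part of the original guide or Club Shield's own tooling; CF_ZONE_ID and CF_API_TOKEN are assumed environment variable names.

```shell
#!/bin/sh
# Added verification script (not Club Shield's own tooling). Assumes the Zone ID and
# token are supplied in the environment variables CF_ZONE_ID and CF_API_TOKEN
# (hypothetical names chosen for this example).
CF_API="https://api.cloudflare.com/client/v4"

# Map the HTTP status of the WAF entrypoint probe to a verdict. Prints the verdict and
# returns 0 when the token is usable by Club Shield, 1 otherwise.
interpret_waf_status() {
  case "$1" in
    200) echo "OK: token works, custom WAF ruleset already exists on this zone"; return 0 ;;
    404) echo "OK: token works, no custom WAF rules deployed yet"; return 0 ;;
    401) echo "FAIL: token is invalid or expired, recreate it"; return 1 ;;
    403) echo "FAIL: token lacks Firewall Services permission or is scoped to the wrong zone"; return 1 ;;
    *)   echo "FAIL: unexpected HTTP status '$1'"; return 1 ;;
  esac
}

# Least-privilege check: a token that can list DNS records has more than one WAF permission.
# Returns 0 when DNS is NOT readable (the expected state), 1 when it is.
interpret_dns_status() {
  case "$1" in
    200) echo "FAIL: token can read DNS records; it is broader than a single WAF permission"; return 1 ;;
    *)   echo "OK: DNS records not readable (HTTP $1)"; return 0 ;;
  esac
}

# Issue a GET against a Cloudflare API path and print only the HTTP status code.
cf_status() {
  curl -s -o /dev/null -w '%{http_code}' "$CF_API/$1" -H "Authorization: Bearer $2"
}

# Run both probes for one zone/token pair; exit status 0 only if both checks pass.
run_checks() {
  waf_code=$(cf_status "zones/$1/rulesets/phases/http_request_firewall_custom/entrypoint" "$2")
  dns_code=$(cf_status "zones/$1/dns_records" "$2")
  rc=0
  interpret_waf_status "$waf_code" || rc=1
  interpret_dns_status "$dns_code" || rc=1
  return $rc
}

# Only contact the API when both values are present, so the functions above can also be
# sourced and exercised offline.
if [ -n "${CF_ZONE_ID:-}" ] && [ -n "${CF_API_TOKEN:-}" ]; then
  run_checks "$CF_ZONE_ID" "$CF_API_TOKEN"
else
  echo "Set CF_ZONE_ID and CF_API_TOKEN to run the live checks." >&2
fi
```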
Part 4 — What Club Shield Does With the Token
| Action | Uses token? | What it does |
| --- | --- | --- |
| Deploy WAF rule | Yes | Adds one rule to the zone's custom WAF ruleset. No other settings touched. |
| Verify shield status | Yes | Reads the ruleset to confirm the rule is present, expression is correct, and rule is enabled. |
| Remove or modify other rules | Never | Club Shield reads existing rules to preserve them but never modifies rules it did not create. |
| Access DNS records | Never | Token does not have DNS permission. DNS is not readable or writable. |
| Access billing, users, or account settings | Never | Token is zone-scoped. Account-level data is not accessible. |
| Read member data or website content | Never | Token only grants access to the Cloudflare API, not to the website or its data. |
Part 5 — Storage and Revocation
Storage: Club Shield stores the token in Cloudflare KV (encrypted at rest, accessible only to
the Club Shield Worker). It is never logged, transmitted unencrypted, or accessible from the dashboard UI.
Rotation: Tokens can be rotated at any time. Create a new token using the same steps above,
update the Club Shield config, and the old token can be revoked immediately.
Revocation: To revoke at any time — Cloudflare dashboard → My Profile → API Tokens →
find the token by name → click Roll or Delete. Club Shield will detect
the revoked token on the next sweep and fire a [SHIELD CREDS INVALID] alert.
Summary — What to Provide
Zone ID: [ 32-char hex — from zone overview sidebar ]
API Token: [ shown once at creation — copy immediately ]
Permission granted: Zone → Firewall Services → Edit
Zone scope: arbutusclub.com only
Expiry: 90 days (renewable)